malware::analysis

dfir static · dynamic triage · sandbox
01 General Workflow
Safe triage order
1. snapshot VM / isolate network
2. hash sample
3. identify file type / packer / architecture
4. static triage: strings, imports, sections, resources
5. dynamic run only when ready to observe
6. collect dropped files, registry keys, callbacks
7. pivot to YARA / Sigma / detection notes
Fast static triage
sha256sum sample
file sample
strings -a -n 6 sample | less
rabin2 -I -i -S -zz sample
peframe sample.exe
exiftool sample

# hunt for
- URLs / IPs / domains
- powershell / cmd / rundll32 / regsvr32
- mutexes, service names, task names
- suspicious section names / high entropy
02 Static Analysis
Windows PE checks
rabin2 -I sample.exe
rabin2 -i sample.exe     # imports
rabin2 -E sample.exe     # exports
rabin2 -S sample.exe     # sections
objdump -x sample.exe | less

# red flags
- RWX section
- very high entropy
- few imports + tiny stub
- suspicious APIs: VirtualAlloc, WriteProcessMemory, WinHttp, InternetOpenUrl
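The string hunt above and the entropy / suspicious-API red flags, combined into one scriptable first pass. Added example, not part of the original cheat sheet: the sample bytes, the 7.0 entropy threshold and the keyword lists are constructed assumptions, and the helpers only approximate what `strings` and `rabin2` report.

```python
import hashlib
import math
import re

# Constructed stand-in for a PE-like blob (not a real sample): a DOS stub string,
# a URL, a PowerShell command line, a mutex name, two API names and a packed-looking tail.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://update-check.example.invalid/gate.php\x00"
    + b"powershell -nop -w hidden -enc AAAA\x00"
    + b"Global\\MyMutex_7f3a\x00"
    + b"VirtualAlloc\x00WriteProcessMemory\x00"
    + bytes(range(256)) * 4  # uniform byte distribution, mimics packed/encrypted data
)

MIN_LEN = 6  # same cut-off as `strings -n 6`
LOLBINS = ("powershell", "cmd.exe", "rundll32", "regsvr32")  # from the hunt list
SUSPICIOUS_APIS = ("VirtualAlloc", "WriteProcessMemory", "WinHttp", "InternetOpenUrl")
HIGH_ENTROPY = 7.0  # assumed threshold; 8.0 is the maximum for bytes

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    # Runs of printable ASCII at least min_len long, like `strings -a`.
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; packed or encrypted regions approach 8.0.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(data: bytes) -> dict:
    strs = ascii_strings(data)
    url_re = re.compile(r"https?://[^\s\"'<>]+", re.I)
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    hits = {
        "sha256": sha256(data),
        "urls": [s for s in strs if url_re.search(s)],
        "ips": [s for s in strs if ip_re.search(s)],
        "lolbins": [s for s in strs if any(l in s.lower() for l in LOLBINS)],
        "mutex_like": [s for s in strs if "mutex" in s.lower()],
        "suspicious_apis": [s for s in strs if any(a in s for a in SUSPICIOUS_APIS)],
        "entropy": round(shannon_entropy(data), 2),
    }
    hits["high_entropy"] = hits["entropy"] >= HIGH_ENTROPY  # whole-file; per-section is better
    return hits
```

Run `triage(open("sample", "rb").read())` on a real file in the VM; a whole-file entropy near 8.0 with almost no imports is the "few imports + tiny stub" packer signature worth confirming with diec or upx -t.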
Unpacking clues
upx -t sample.exe
binwalk -e sample
diec sample.exe      # Detect It Easy

# if packed
- run in VM
- dump memory after unpack
- compare strings/imports before and after
- carve embedded config or second stage
03 Dynamic Analysis
Tools
windows
Procmon / Process Explorer / TCPView / Wireshark / Regshot / API Monitor

linux
strace / ltrace / tcpdump / inotifywait / gdb

sandbox
INetSim / FakeNet-NG / REMnux style tooling
What to record
- spawned processes
- file writes / dropped payloads
- registry changes
- mutexes
- network destinations, URIs, User-Agent
- decoded PowerShell / command lines
- persistence attempts
- crash message or anti-analysis behavior
04 Memory / Config / Detection
Memory pivots
vol -f mem.raw windows.pslist
vol -f mem.raw windows.dlllist
vol -f mem.raw windows.cmdline
vol -f mem.raw windows.netscan
vol -f mem.raw windows.malfind

# dump suspicious region / process if needed
Write outputs that help later
- IOC list: hashes, paths, mutexes, domains, IPs
- YARA seed strings
- Sigma / event log ideas
- command sequence observed
- timeline with first-seen / last-seen times
05 Pitfalls
Run only in an instrumented VM
Take snapshots. Be ready to revert quickly.
Strings alone can mislead
Dead strings, decoys, and encrypted blobs are common.
One tool is never enough
Static, dynamic, and event / memory artifacts should reinforce each other.